Re: Deleting shortcuts when they are for a C: program

From: David Candy (.)
Date: 11/26/04 

Date: Fri, 26 Nov 2004 21:27:59 +1100

Nothing to do with security works in Home but if you boot to safe mode security becomes available. Maybe auditing becomes available too.

Process Explorer from www.sysinternels.com does similar to oh. It's a gui program. You may want to look at that.

Are you on a network? 

-- 
----------------------------------------------------------
http://www.uscricket.com
"antispam" <antispam@discussions.microsoft.com> wrote in message news:E17D497B-4616-4470-9251-2C79EE5CC9C2@microsoft.com...
> OK I typed auditing in help and this is what I got...
> 
> SUMMARY
> As an administrator of a Windows XP Professional-based computer, you can 
> configure your computer to audit user access to files, folders and printers. 
> This facility is unavailable on Windows XP Home Edition.
> 
> 
> Since I am using XP home, I assume this means I cannot do this...  Well, 
> this has been drawn out way to long already, perhaps I must accept defeat and 
> just let that stay on the desktop.  
> 
> 
> "David  Candy" wrote:
> 
>> Did you discover why the cacls you typed didn't work?
>> 
>> Hopefully auditing will show what program or virus is doing it. Most people can't use auditing so noone know what it is. Auditing records access to something (what you specify it to) in Windows. It's off by default because it slows down the computer and often noone cares.
>> 
>> 1. Turn on auditing (this turns it on but nothing is being audited)
>> 2. Set auditing for just this file (else you'll get millions of messages to sort through if you audit everything).
>> 
>> 
>> 1. You must enable Auditing for the machine (in Local Security Policy - see Help).
>> 
>> 2. You must specify what to audit. You do this the same place you set permissions (click Advanced).
>> 
>> Then you can read it in the Event Viewer
>> 
>> 
>> Audit object access
>> Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
>> 
>> Description
>> Determines whether to audit the event of a user accessing an object-for example, a file, folder, registry key, printer, and so forth-that has its own system access control list (SACL) specified.
>> 
>> If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. 
>> 
>> Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
>> 
>> Default: No auditing.
>> 
>> 
>> 
>> Then set auditing for your file in the Drives Properties - Security - Advanced - Auditing
>> 
>> You have to turn it on then set what is to be audited.
>> 
>> This is what a audit for a printer looks like
>> 
>> Object Open:
>> Object Server: Spooler
>> Object Type: Document
>> Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
>> Handle ID: 9487952
>> Operation ID: {-,-}
>> Process ID: 1020
>> Image File Name: C:\WINDOWS\system32\spoolsv.exe
>> Primary User Name: SERENITY$
>> Primary Domain: WORKGROUP
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: David Candy
>> Client Domain: SERENITY
>> Client Logon ID: (0x0,0xE179)
>> Accesses: READ_CONTROL 
>> %%6949
>> Privileges: -
>> Restricted Sid Count: 0
>> For more information, see Help and Support Center at 
>> 
>> Big companies have programs that look through these logs. You can use a spread***.
>> 
>> 
>> -- 
>> ----------------------------------------------------------
>> http://www.uscricket.com
>> "antispam" <antispam@discussions.microsoft.com> wrote in message news:E2526B8F-81FF-4F4D-8703-352EAD7AA963@microsoft.com...
>> > Ok, David, doing it the way you suggested below gives me this;
>> > 
>> > OWNER-FFZ077CHR\TEST:F
>> > NT AUTHORITY\SYSTEM:F
>> > BUILTIN\Adminstrators:F
>> > 
>> > If I am reading this correctly, it telle me that TEST, (ME) has F= FULL 
>> > permissions for the file, yes? I dunno...
>> > 
>> > 
>> > 
>> > "David  Candy" wrote:
>> > 
>> >> Something is wrong there.
>> >> 
>> >> If the file exists you get the permissions.
>> >> 
>> >> If the file doesn't exist it says it can't find.
>> >> 
>> >> It displays what you saw if you type something it can't understand, but your typing seems fine. If you screwed up the name it would say File Not Found. And we only have a name as a parameter so it should say Not Found or the permissions.
>> >> 
>> >> Try agian this way.
>> >> 
>> >> Start cmd, type 
>> >> cacls
>> >> then a space. From Explorer drag the file into the cmd window (it will type the name correctly for you). Press Enter.
>> >> -- 
>> >> ----------------------------------------------------------
>> >> http://www.uscricket.com
>> >> "antispam" <antispam@discussions.microsoft.com> wrote in message news:7549D574-9757-407D-9CA4-6875F05FAFFE@microsoft.com...
>> >> > OK David, I typed in the msinfo32... PAC.EXE was not in the list under Loaded 
>> >> > Modules
>> >> > 
>> >> > I then typed this; cacls "C:\Documents and Settings\TEST\desktop\pac.exe"
>> >> > 
>> >> > Response:
>> >> > 
>> >> > Displays or modifies access control lists (ACLs) of files
>> >> > CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
>> >> >                        [/P user:perm [...]] [/D user [...]]
>> >> >     filename         Displays ACLs.
>> >> >     /T                  Changes ACLs of specified files in the current dir 
>> >> > and all sub dirs.
>> >> >     /E                  Edit ACl instead of replacing it.
>> >> >     /C                  Continue on access denied errors.
>> >> >     /G user:perm  Grant specified user access rights.
>> >> >                          Perm can be: R Read
>> >> >                                              W Write
>> >> >                                              C Change (write)
>> >> >                                              F Full control
>> >> > /R user                Revoke specified user access rights (only valid with 
>> >> > /E)
>> >> > /P user:perm        Replace specified user access rights.
>> >> >                           Perm can be: N None
>> >> >                                               R Read
>> >> >                                               W Write
>> >> >                                               C Change (write)
>> >> >                                               F Full control
>> >> > /D                        deny specified user access.
>> >> > wildcards can be used to specifi more than one file in a command.
>> >> > You can specify more than one user in a command.
>> >> > 
>> >> > Abbreviations:
>> >> >     CI - Container Inherit.
>> >> >     OI - Object inherit
>> >> >     IO -  Inherit only
>> >> > 
>> >> > Obvioulsy I have NO idea what all this is or means. :(((
>> >> > 
>> >> > P.S.  DARREL S.  I did try your suggestion also.  However, I still got the.. 
>> >> > cannot delete as file is being used by another person or program, blah blah
>> >> > 
>> >> > Anti 
>> >> > 
>> >> > 
>> >> > 
>> >> > "David  Candy" wrote:
>> >> > 
>> >> >> Yes it means nothing has it open (although this doesn't find running programs holding themselves (or really XP) open).
>> >> >> 
>> >> >> Therefore we'll retest the hypothsis of it running.
>> >> >> 
>> >> >> Type msinfo32 in Start Run, go to the Software Environment - Loaded Modules
>> >> >> If it ain't in this list it's aint running (sort the list to make it easy to confirm it is/isn't there)
>> >> >> 
>> >> >> To test security (and the GUI procedure is different for home/pro so we'll use the command line)
>> >> >> Type 
>> >> >> cacls "%userprofile%\desktop\pac.exe"
>> >> >> 
>> >> >> Assuming TEST user is you. If not spell out the %userprofile% (eg for me it's C:\Documents and Settings\David Candy)
>> >> >> cacls "C:\Documents and Settings\TEST\desktop\pac.exe"
>> >> >> 
>> >> >> -- 
>> >> >> ----------------------------------------------------------
>> >> >> http://www.uscricket.com
>> >> >> "antispam" <antispam@discussions.microsoft.com> wrote in message news:ED330960-31DA-4C6A-AB69-8F384892FB06@microsoft.com...
>> >> >> > Ok, I did this again this morning;
>> >> >> > 
>> >> >> > typed:       oh +otl
>> >> >> > response: Enabled 'object type list' flag needed by the OH utility. Will 
>> >> >> > take effect next time you boot
>> >> >> > 
>> >> >> > rebooted
>> >> >> > 
>> >> >> > typed: oh /t file pac.exe
>> >> >> > response: //
>> >> >> >               // TIME: 2004-11-23 08:07
>> >> >> >               // MACHINE: Owner-FFZ077CHR
>> >> >> >               // BUILD: 2600
>> >> >> >               // OH version:  built by: dnsrv_dev(v-smgum)
>> >> >> >               //
>> >> >> >               //
>> >> >> > 
>> >> >> > That is all I got.  Nothing other than that. Does this mean there is NO 
>> >> >> > program that has pac.exe open.  Also, the other user ID was also me, I 
>> >> >> > deleted the other one but the current ID I am using has all administrator 
>> >> >> > functions assigned to it. 
>> >> >> > 
>> >> >> > 
>> >> >> > 
>> >> >> > 
>> >> >> > "David  Candy" wrote:
>> >> >> > 
>> >> >> >> And what did typing oh say. I'm going out now so don't expect a quick reply.
>> >> >> >> 
>> >> >> >> Deleting a user doesn't free up their files. Just makes it so noone has access. If it is a permission thing type in help and read carefully (repeat read carefully) taking ownership.
>> >> >> >> 
>> >> >> >> -- 
>> >> >> >> ----------------------------------------------------------
>> >> >> >> http://www.uscricket.com
>> >> >> >> "antispam" <antispam@discussions.microsoft.com> wrote in message news:CE064DF9-FAA9-47E9-9522-6740821C9187@microsoft.com...
>> >> >> >> > Pac.exe  is the executable for a game titled Pacific War.  It is a DOS based 
>> >> >> >> > game  that I have had for played since 1992.  I have been playing it on THIS 
>> >> >> >> > computer for 2 years.  The game worked fine using the compatability settings. 
>> >> >> >> > I am ready to delete it now and I just cannot get the pac.exe off of my 
>> >> >> >> > desktop.  I thought perhaps it was somehow linked to a diff user name on my 
>> >> >> >> > system so I deleted the only other user name for this system, still cannot 
>> >> >> >> > delete this file.
>> >> >> >> > 
>> >> >> >> > I am almost at the point of giving up. Obviously this is getting technical 
>> >> >> >> > and thats NOT were I can follow.  
>> >> >> >> > 
>> >> >> >> > Anti
>> >> >> >> > 
>> >> >> >> > "David  Candy" wrote:
>> >> >> >> > 
>> >> >> >> >> It's common here to use <something> to indicate you fill it in with your specific request. In this case the exe file that is open.
>> >> >> >> >> 
>> >> >> >> >> What is pac.exe and where did it come from?
>> >> >> >> >> 
>> >> >> >> >> -- 
>> >> >> >> >> ----------------------------------------------------------
>> >> >> >> >> http://www.uscricket.com
>> >> >> >> >> "antispam" <antispam@discussions.microsoft.com> wrote in message news:FDF07A31-740A-4208-B1D9-CC23B443C7A4@microsoft.com...
>> >> >> >> >> > ok, I did as you suggested... but, after I typed "oh /t file <filename> which 
>> >> >> >> >> > looked like this by the way: oh /t pac.exe  I got this;
>> >> >> >> >> > //
>> >> >> >> >> > // TIME: 2004-11-22 21:29
>> >> >> >> >> > // MACHINE: Owner-FFZ088CGR
>> >> >> >> >> > // BUILD: 2600
>> >> >> >> >> > // OH version:  built by: dnsrv_dev(v-smgum)
>> >> >> >> >> > //
>> >> >> >> >> > 
>> >> >> >> >> > I am not sure what you mean by EG???
>> >> >> >> >> > 
>> >> >> >> >> > at any rate I then tried: oh /t pac.exe and got this message;
>> >> >> >> >> > 
>> >> >> >> >> > //exception C0000005 raised within OH process. Aborting ....
>> >> >> >> >> > 
>> >> >> >> >> > So, I guess I need to know in idiot terms what you mean by this;
>> >> >> >> >> > 
>> >> >> >> >> > "EG to see what program has inbox.dbx open (OE's inbox file)"
>> >> >> >> >> > 
>> >> >> >> >> > Anti..
>> >> >> >> >> > 
>> >> >> >> >> > 
>> >> >> >> >> > "David  Candy" wrote:
>> >> >> >> >> > 
>> >> >> >> >> >> That tells us another program has the file open. If the file had itself open you can rename it.
>> >> >> >> >> >> 
>> >> >> >> >> >> Use oh.exe from the windows 2003 resource kit tools http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
>> >> >> >> >> >> 
>> >> >> >> >> >> Type
>> >> >> >> >> >> oh +otl
>> >> >> >> >> >> reboot
>> >> >> >> >> >> then
>> >> >> >> >> >> oh /t file <filename>
>> >> >> >> >> >> or leave filename blank to see all.
>> >> >> >> >> >> 
>> >> >> >> >> >> EG to see what program has inbox.dbx open (OE's inbox file)
>> >> >> >> >> >> 
>> >> >> >> >> >> oh /t file inbox.dbx
>> >> >> >> >> >> which returns
>> >> >> >> >> >> 
>> >> >> >> >> >> //
>> >> >> >> >> >> // TIME: 2004-03-30 19:50
>> >> >> >> >> >> // MACHINE: SERENITY
>> >> >> >> >> >> // BUILD: 2600
>> >> >> >> >> >> // OH version:  built by: dnsrv_dev(v-smgum)
>> >> >> >> >> >> //
>> >> >> >> >> >> //
>> >> >> >> >> >> 00000CF0 msimn.exe      File           050c \Documents and Settings\David Candy\
>> >> >> >> >> >> Local Settings\Application Data\Identities\{E6E1A8F2-C885-46A5-975E-94A4A1F8C788
>> >> >> >> >> >> }\Microsoft\Outlook Express\Inbox.dbx
>> >> >> >> >> >> 
>> >> >> >> >> >> [Microsoft Internet Mail And News (MSIMN.EXE) is the real name of Outlook Express rather than the marketing name. Office's Outlook internet features is a copy of Outlook Express. OL stole OE's code while OE got OL's name. OE got ripped off.]
>> >> >> >> >> >> 
>> >> >> >> >> >> 
>> >> >> >> >> >> -- 
>> >> >> >> >> >> ----------------------------------------------------------
>> >> >> >> >> >> http://www.uscricket.com
>> >> >> >> >> >> "antispam" <antispam@discussions.microsoft.com> wrote in message news:6E10F83C-C247-415B-8E7C-C59EBB73D502@microsoft.com...
>> >> >> >> >> >> >I have tried that already.. just tried again.. after the caution if you 
>> >> >> >> >> >> > rename a file it may become unstable..... statement I go ahead and it will 
>> >> >> >> >> >> > not change, still says "CANNOT RENAME: Being used by another program or 
>> >> >> >> >> >> > person....."
>> >> >> >> >> >> > 
>> >> >> >> >> >> > "David  Candy" wrote:
>> >> >> >> >> >> > 
>> >> >> >> >> >> >> Rename the file, reboot, delete.
>> >> >> >> >> >> >> 
>> >> >> >> >> >> >> -- 
>> >> >> >> >> >> >> ----------------------------------------------------------
>> >> >> >> >> >> >> http://www.uscricket.com
>> >> >> >> >> >> >> "Antispam" <Antispam@discussions.microsoft.com> wrote in message news:B73E4CC8-878F-41E7-A1CB-88ACD7A9FF8E@microsoft.com...
>> >> >> >> >> >> >> >I mis-identified when I originally posted and I apologize to you all.  It is 
>> >> >> >> >> >> >> > an actual .exe progam saved on desktop, NOT a shortcut to the program.  
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > I tried to delete it in SAFE MODE.  Still get the, cannot delete...   
>> >> >> >> >> >> >> > If by command prompt you mean the C: prompt, I have tried that, but cannot 
>> >> >> >> >> >> >> > enter the commands to get to that particular directory.  I am very DOS 
>> >> >> >> >> >> >> > ignorant.  for example, the file is in this directory;
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > C:\Documents and Settings\TEST\Desktop
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > When I try to go to that directory by typing this;
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > cd C:\Documents and Settings\TEST\Desktop
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > It tells me unrecognized paramaters.. 
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > ???
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> > "Will Denny" wrote:
>> >> >> >> >> >> >> > 
>> >> >> >> >> >> >> >> "Haggis" <bingsnapREMOVE@THIShotmail.com> wrote in message 
>> >> >> >> >> >> >> >> news:eO5Ef6M0EHA.1568@tk2msftngp13.phx.gbl...
>> >> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >> > "Will Denny" <willdenny@mvps.org> wrote in message 
>> >> >> >> >> >> >> >> > news:OPBu3MM0EHA.3120@TK2MSFTNGP12.phx.gbl...
>> >> >> >> >> >> >> >> >> Hi
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >> Try and delete the shortcut from a command prompt.
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >> -- 
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >> Will Denny
>> >> >> >> >> >> >> >> >> MS-MVP - Windows Shell/User
>> >> >> >> >> >> >> >> >> Please reply to the News Groups
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >> "Antispam" <Antispam@discussions.microsoft.com> wrote in message 
>> >> >> >> >> >> >> >> >> news:D859B7D3-D446-48E0-AA38-B5D2DA7A239D@microsoft.com...
>> >> >> >> >> >> >> >> >>>I have XP Home, SP2
>> >> >> >> >> >> >> >> >>>
>> >> >> >> >> >> >> >> >>> I have a shortcut on my desk top that was created for a game I play 
>> >> >> >> >> >> >> >> >>> which
>> >> >> >> >> >> >> >> >>> was originally a  "DOS" game.  I would like to remove the shortcut icon.
>> >> >> >> >> >> >> >> >>> However, I get this when I try to delete it. ....
>> >> >> >> >> >> >> >> >>>
>> >> >> >> >> >> >> >> >>> "Cannot delete, it is being used by another program or person. Close any
>> >> >> >> >> >> >> >> >>> programs that might be using this file and try again".
>> >> >> >> >> >> >> >> >>>
>> >> >> >> >> >> >> >> >>> I have no idea about that because the program in question has not been 
>> >> >> >> >> >> >> >> >>> used
>> >> >> >> >> >> >> >> >>> for several months and I am the only user.  I have tried to go into 
>> >> >> >> >> >> >> >> >>> command
>> >> >> >> >> >> >> >> >>> prompt and delete from there but, the ("DOS") file is buried 4 
>> >> >> >> >> >> >> >> >>> directories
>> >> >> >> >> >> >> >> >>> deep and there seems to be a problem getting to them based on the SIZE 
>> >> >> >> >> >> >> >> >>> of the
>> >> >> >> >> >> >> >> >>> directories.
>> >> >> >> >> >> >> >> >>>
>> >> >> >> >> >> >> >> >>> Any suggestions would be appreciated.
>> >> >> >> >> >> >> >> >>>
>> >> >> >> >> >> >> >> >>> Thanks you.
>> >> >> >> >> >> >> >> >>>
>> >> >> >> >> >> >> >> >>> antispam4now@aol.com(donotspam)
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >>
>> >> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >> > try it in safe mode
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> Hi
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> That's the next option - if the file can't be deleted from a command prompt.
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> -- 
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> Will Denny
>> >> >> >> >> >> >> >> MS-MVP - Windows Shell/User
>> >> >> >> >> >> >> >> Please reply to the News Groups
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >> 
>> >> >> >> >> >> >> >>
>> >> >> >> >> >> >>
>> >> >> >> >> >>
>> >> >> >> >>
>> >> >> >>
>> >> >>
>> >>
>>